Your documents, locked down.
Everything we do to keep contracts safe — explained plainly, without security theater.
The fundamentals.
Encryption in transit
Every connection to FusionDocs runs over TLS. Browsers, mobile apps, and webhook deliveries — same standard.
Tenant isolation
Your company's data never crosses to another company's. Multi-tenant isolation is enforced at the query layer of the application — every database query is automatically scoped to your company. There's no shared table, no shared row, no way for a teammate from another company to see your documents.
Tamper-evident audit trail
Every action on every document is logged: created, sent, viewed, signed, declined, completed, downloaded, reminded, voided. Each event captures the IP address, the user-agent, and the exact timestamp. The audit trail is bundled into a court-ready PDF on every completed document.
Soft-delete with restore
Deleted documents, templates, signers, and folders aren't immediately gone. They sit in a recoverable state for a configurable window, so an accidental delete is one click to restore.
Rate limiting on public endpoints
Signing routes are rate-limited per IP to prevent abuse on shared links. Bots can't brute-force a signing token.
Who's actually signing.
Default — email link with one-time token
Signers receive a unique signing link by email. The link is valid for a configurable window (default 7 days) and can only be used once. After signing, the token is invalidated.
Decline-with-reason
A signer who doesn't want to sign can decline and leave an explanation. The sender is notified. No one can “lose” a contract that the signer never engaged with.
Approver role
Separate from signers — an approver reviews before signers are invited. Useful for legal review or manager sign-off on what gets sent.
Operational hygiene.
Token-based API
The API is authenticated with bearer tokens (Laravel Sanctum). No session cookies, no CSRF concerns, mobile-friendly.
Background queue
Slow operations (DOCX-to-PDF conversion, mail-merge document generation, webhook delivery with retries) run in a background queue, so the request that triggered them doesn't block.
HMAC-signed webhooks
Outbound webhooks are signed with HMAC-SHA256 using a per-webhook secret. Your endpoint can verify the signature to confirm the payload came from us.
Webhook retries
Failed webhook deliveries are retried with backoff. Every attempt is logged. You can replay any failed delivery by hand from the dashboard.
Honest about the roadmap.
These are commonly asked for. They're not shipped today. If you need one of them for procurement, talk to us about timing:
- SSO with SAML 2.0
- SCIM auto-provisioning
- Hardware-key sign-in for senders (FIDO2 / WebAuthn)
- Independent SOC 2 Type II audit
- ISO 27001 certification
- HIPAA Business Associate Agreement (BAA)
- Independent third-party penetration test report
- Formal bug bounty program
- Specific data-residency choice (US vs EU as a customer setting)
We'll list them here as commitments only when there's a real date.
If you've found something.
How to report
Email: security@fusiondocs.com
Include:
- A description of the issue
- Steps to reproduce
- Any proof-of-concept (URL, payload, screenshot)
- Your name and how you'd like to be credited if we ship a fix
What we promise
- We'll acknowledge your report within two business days.
- We'll keep you informed as we triage and fix.
- We won't pursue legal action against researchers acting in good faith — don't access more data than necessary, don't disclose publicly until we've had a chance to fix.
What's in scope
- The marketing site (fusiondocs.com)
- The application (app.fusiondocs.com)
- The API (api.fusiondocs.com)
- Official mobile apps
What's out of scope
- Denial-of-service attacks
- Social engineering of FusionDocs employees
- Physical attacks
- Subprocessors and third-party services (report those upstream)
- Theoretical issues without a working proof-of-concept